Layered Security - It's Not Just for Networks

At this time of year, many of us like to surprise our family, friends, and colleagues with gifts that aren’t what they appear to be. A ring wrapped in the box your microwave came in. A sweater in a package weighted down with a few bricks. Or maybe a new suitcase that actually contains tickets for a trip. You get the picture – using deception for a pleasant surprise.

It strikes me that attackers like to ‘surprise’ their targets in much the same way, disguising threats as something they aren’t and leading to a not so pleasant surprise. They may send emails that appear to come from a trusted source but carry a link to a malicious website or an attachment laced with malware. Targeted attacks combine sophisticated social engineering with evasive techniques to gain a persistent foothold in the network and exfiltrate critical data. Zero-day attacks exploit flaws nobody has seen before, so traditional, signature-based defenses have nothing to match against. And the techniques keep changing.

One of the latest methods is ‘snowshoe’ spam. Much as a snowshoe spreads a person’s weight over a large but shallow footprint, the attacker spreads a large volume of mail thinly across many sending IP addresses, so that no single address sends enough to trip volume- or reputation-based blocking. Snowshoe spammers rapidly rotate body text, links and sending IP addresses and never repeat the same combination, so a filter that keys on any one of these attributes in isolation sees only a faint trace of the campaign. The possibilities are seemingly endless.

These attacks succeed because they are well disguised, blend different techniques, and constantly evolve. Our defenses need to do the same: a security architecture that combines protections in ways attackers don’t expect and that continuously updates them to keep pace with dynamic attacks. As security professionals we’re all familiar with the concepts of defense in depth and multi-layered protection. Traditionally these approaches have focused on the network, but they can and should be applied to the email gateway as well.

Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

According to The Radicati Group, in 2014 businesses sent and received over 108.7 billion emails per day, and by 2018 the number is expected to exceed 139.4 billion. This fertile ground for attackers makes secure email gateways an increasingly important component of any cybersecurity strategy. However, conventional secure email gateways that operate at a single point in time, scanning once against one set of intelligence, have limited effectiveness. Today’s email-based attacks don’t occur at a single point in time and use multiple methods to evade detection; a link that is clean when the message is scanned can be weaponized hours after delivery. To bolster protection, organizations often bolt on a set of disparate products that don’t, and can’t, share verdicts with one another. Clearly this approach isn’t conducive to effective security controls.

As you evaluate secure email gateway technology or revisit what you already have, be sure to ask the following questions for more effective protection against spam, blended threats, and targeted attacks:

1. How do you deal with the variety of types of spam and viruses? There is no such thing as 100% protection, but catch rates in the 99%+ range are achievable by layering and integrating multiple anti-spam engines and multiple anti-virus engines. An architecture that tightly integrates the engines and lets them work together automatically not only raises the catch rate but also lowers the false positive rate, because a marginal verdict from one engine can be required to be corroborated by another before mail is blocked; the engines serve as a check and balance on each other. In addition, sender reputation filters help against attacks like snowshoe spam that hijack whole IP address ranges, provided reputation is tracked at the level of the network block and not only the individual address, since such campaigns deliberately spread a little traffic across many addresses.

2. How do you deal with blended threats that include links to websites laced with malware? Look for solutions that include web categorization and web reputation. With web categorization, security administrators can set policies that allow access only to certain categories of websites. Web reputation assigns a score to a URL based on a variety of data, including how long the domain has been malware-free, so you can set thresholds for whether or not a link may be accessed. Because a link can be harmless when the message arrives and malicious by the time it is clicked, the check is most effective when it is applied at click time as well as at delivery.

3. What happens if an attack still gets through – do I have any recourse? Because some sophisticated attacks do get through, you need advanced malware protection that includes retrospective security. Retrospective security keeps a record of every file that passed the gateway and who received it, and continues to analyze file behavior against real-time, global threat intelligence after delivery. If a file is later identified as malicious, that record lets you determine the scope of the attack, that is, which messages and mailboxes received the file, so that defenders can quickly contain the threat and remediate.

4. What capabilities do you offer to help me stay ahead of emerging threats? To identify a trend you need visibility into data across a community. Here that means email and network security telemetry from a community of users, combined with other sources that track threats, which can give you the intelligence and lead time needed to protect proactively against emerging outbreaks. Look for vendors that include outbreak filters in their email security architecture and can leverage collective security intelligence to develop protections against new outbreaks in real time. A practical signal is an attachment or link that suddenly shows up in many customers’ mail streams before any signature exists for it; an outbreak filter can quarantine or delay such messages until a verdict arrives.
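To make the four questions concrete, here is a small Python model of a layered gateway: independent anti-spam and anti-virus engines whose verdicts are combined with netblock-level sender reputation (question 1), a URL categorization-and-reputation check (question 2), a delivery ledger that scopes a retrospective verdict change to the exact mailboxes affected (question 3), and a simple community-wide outbreak signal (question 4). This is an added example written for this article, not code from any vendor’s product; all reputation tables, thresholds, signatures, sample messages and names are constructed assumptions.

```python
# Layered email-gateway policy with retrospective tracking: an added illustration,
# not product code. Every table, threshold, engine and message below is constructed
# for the example (an assumption, not real threat intelligence).
import hashlib
import ipaddress
import re
from collections import defaultdict, namedtuple

# Reputation keyed by network, not single host, so a snowshoe campaign rotating
# through addresses in a hijacked range still inherits the range's score.
IP_REPUTATION = {
    ipaddress.ip_network("198.51.100.0/24"): -8,  # range seen sending snowshoe spam
    ipaddress.ip_network("203.0.113.7/32"): 6,    # partner MTA with a clean history
}
URL_INTEL = {  # domain -> (category, reputation score)
    "example.com": ("business", 9),
    "login-verify.example.net": ("uncategorized", -7),  # young, recently flagged
}
ALLOWED_CATEGORIES = {"business", "news"}
URL_MIN_REPUTATION = 0
SPAM_PHRASES = re.compile(r"act now|verify your account|claim your prize", re.I)
URL_RE = re.compile(r"https?://([\w.-]+)")
QUARANTINE_THRESHOLD = 10

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

AV_SIGNATURES = {sha256_hex(b"MZ-constructed-known-dropper")}  # assumed signature set
PAYLOAD = b"constructed-payload-with-no-signature-yet"          # unknown at delivery
Message = namedtuple("Message", "msg_id sender_ip recipient body attachments")

def ip_reputation(ip: str) -> int:
    addr = ipaddress.ip_address(ip)
    return sum(score for net, score in IP_REPUTATION.items() if addr in net)

def url_allowed(host: str) -> bool:  # categorization plus reputation threshold
    category, rep = URL_INTEL.get(host, ("uncategorized", 0))
    return category in ALLOWED_CATEGORIES and rep >= URL_MIN_REPUTATION

def engine_content(msg):  # each engine is independent and returns (score, reason)
    hits = SPAM_PHRASES.findall(msg.body)
    return 4 * len(hits), ", ".join(hits)

def engine_urls(msg):
    bad = [h for h in URL_RE.findall(msg.body) if not url_allowed(h)]
    return 6 * len(bad), ", ".join(bad)

def engine_av(msg):
    hit = [n for n, data in msg.attachments.items() if sha256_hex(data) in AV_SIGNATURES]
    return (100, ", ".join(hit)) if hit else (0, "")

def classify(msg):
    """Combine engine verdicts with sender reputation. One moderately scoring engine
    never quarantines alone: another engine or a bad sender reputation must back it."""
    verdicts = [(e.__name__, *e(msg)) for e in (engine_content, engine_urls, engine_av)]
    firing = [v for v in verdicts if v[1] > 0]
    rep = ip_reputation(msg.sender_ip)
    total = sum(v[1] for v in firing) - rep  # good reputation offsets weak signals
    if any(v[1] >= 100 for v in firing):
        action = "quarantine"  # definitive AV hit needs no corroboration
    elif total >= QUARANTINE_THRESHOLD and (len(firing) >= 2 or rep < 0):
        action = "quarantine"
    else:
        action = "tag" if firing else "deliver"  # tag: deliver, but mark it
    return action, total, verdicts

class DeliveryLedger:
    """Delivered attachments recorded by hash, so a verdict that changes later
    can be scoped to the exact messages and mailboxes affected."""
    def __init__(self):
        self.by_hash = defaultdict(list)  # sha256 -> [(msg_id, recipient, filename)]
    def record(self, msg):
        for name, data in msg.attachments.items():
            self.by_hash[sha256_hex(data)].append((msg.msg_id, msg.recipient, name))
    def retrospective_scope(self, digest):  # intelligence later flags this hash
        return list(self.by_hash.get(digest, []))
    def outbreak_candidates(self, min_recipients=3):
        # Hashes reaching many mailboxes before any signature exists: the
        # community-wide pattern an outbreak filter acts on ahead of a verdict.
        return {h for h, rows in self.by_hash.items() if h not in AV_SIGNATURES
                and len({r for _, r, _ in rows}) >= min_recipients}

def demo():
    ledger = DeliveryLedger()
    msgs = [  # constructed sample traffic
        Message("m1", "203.0.113.7", "alice@corp.example", "Act now on the invoice", {"inv.pdf": b"clean"}),
        Message("m2", "198.51.100.23", "bob@corp.example", "Verify your account at https://login-verify.example.net/x", {}),
        Message("m3", "192.0.2.9", "carol@corp.example", "Report attached", {"r.docx": PAYLOAD}),
        Message("m4", "192.0.2.10", "dave@corp.example", "Report attached", {"r.docx": PAYLOAD}),
        Message("m5", "192.0.2.11", "erin@corp.example", "Report attached", {"r.docx": PAYLOAD}),
    ]
    actions = {m.msg_id: classify(m)[0] for m in msgs}
    for m in msgs:
        if actions[m.msg_id] != "quarantine":
            ledger.record(m)  # only delivered mail can need retrospective action
    return actions, ledger
```

Note the corroboration rule in classify: m1 carries a spam phrase but arrives from a partner MTA with a good reputation, so it is only tagged, while m2 is quarantined because a second engine (the bad URL) and a bad sender range agree with the content engine. Messages m3 to m5 carry an attachment with no signature at delivery; the ledger lets outbreak_candidates flag that hash once it reaches three mailboxes, and retrospective_scope lists exactly who received it when intelligence later confirms it is malicious.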

We all appreciate surprises, but not in the form of a surreptitious email. Security professionals face an unprecedented number and variety of threats. Some are new, but many blend tried and true techniques to evade detection by traditional defenses. That’s why we need to layer a variety of defense techniques in new ways, integrate them, and use new approaches for more effective protection.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.